From e90972aa2d1d4ef337852ca930cd3a15e1bb066e Mon Sep 17 00:00:00 2001 From: Vincent Andrae Date: Wed, 12 Feb 2025 23:26:22 +0100 Subject: [PATCH 1/3] Fix interposing on MacOS 13 and later - Disable dyld shared cache optimization to resolve interposing failures on MacOS 13 and later. --- iOSOnMac/runner.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/iOSOnMac/runner.c b/iOSOnMac/runner.c index 332a558..925947e 100644 --- a/iOSOnMac/runner.c +++ b/iOSOnMac/runner.c @@ -38,7 +38,7 @@ void instrument(pid_t pid) { } printf("[*] _amfi_check_dyld_policy_self at offset 0x%x in /usr/lib/dyld\n", patch_offset); - + // Attach to the target process kr = task_for_pid(mach_task_self(), pid, &task); if (kr != KERN_SUCCESS) { @@ -105,7 +105,7 @@ void instrument(pid_t pid) { printf("vm_protect failed\n"); return; } - + // MOV X8, 0x5f // STR X8, [X1] // RET @@ -124,7 +124,7 @@ void instrument(pid_t pid) { } puts("[+] Sucessfully patched _amfi_check_dyld_policy_self"); -} +} int run(const char* binary) { pid_t pid; @@ -151,6 +151,7 @@ int run(const char* binary) { // Can be useful for fuzzing //setenv("DYLD_INSERT_LIBRARIES", "/usr/lib/libgmalloc.dylib", 1); + setenv("DYLD_IN_CACHE", "0", 1); char* argv[] = {(char*)binary, NULL}; rv = posix_spawn(&pid, binary, NULL, &attr, argv, environ); @@ -160,6 +161,7 @@ int run(const char* binary) { } unsetenv("DYLD_INSERT_LIBRARIES"); + unsetenv("DYLD_IN_CACHE"); printf("[+] Child process created with pid: %i\n", pid); From 85f505e8955128a26c2687166ab0c20379da5837 Mon Sep 17 00:00:00 2001 From: Vincent Andrae Date: Wed, 12 Feb 2025 23:27:53 +0100 Subject: [PATCH 2/3] Load interpose.dylib dynamically at runtime --- iOSOnMac/Makefile | 5 ++--- iOSOnMac/runner.c | 1 + 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/iOSOnMac/Makefile b/iOSOnMac/Makefile index 2591237..ec19141 100644 --- a/iOSOnMac/Makefile +++ b/iOSOnMac/Makefile 
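Review bot: The new `setenv("DYLD_IN_CACHE", "0", 1);` in the -151,6 hunk mutates the runner's own process environment and relies on the `unsetenv("DYLD_IN_CACHE");` added in the -160,6 hunk to restore it; the `}` just before that `unsetenv` looks like the close of the posix_spawn error path, so on a failed spawn the variable appears to stay set in the runner for the rest of its life, and the later `unsetenv("DYLD_INSERT_LIBRARIES")` suggests the same pattern is already relied on. Since the variable is undocumented, a comment at the new line would help the next reader: `// Make dyld load system libraries from disk rather than the shared cache; on macOS 13+ the cached images cannot be interposed`. The call's return value is also ignored; `if (setenv("DYLD_IN_CACHE", "0", 1) != 0) { perror("setenv"); return -1; }` (using whatever error convention run() follows, which is outside the hunk) would surface a failure instead of spawning a child that silently runs without interposing. run() begins and ends outside these hunks.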
@@ -3,9 +3,8 @@ all : runner main interpose.dylib interpose.dylib : interpose.c clang interpose.c -arch arm64 -o interpose.dylib -shared -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk -main : main.c interpose.dylib - # Can link against existing frameworks/libraries here by copying them onto ./Frameworks and adding `-F $(PWD)/Frameworks -framework $NAME_OF_FRAMEWORK -Wl,-rpath,$(PWD)/Frameworks - clang main.c -arch arm64 -o main -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk interpose.dylib +main : main.c + clang main.c -arch arm64 -o main -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk runner : runner.c entitlements.xml clang runner.c -o runner diff --git a/iOSOnMac/runner.c b/iOSOnMac/runner.c index 925947e..71cc70d 100644 --- a/iOSOnMac/runner.c +++ b/iOSOnMac/runner.c @@ -152,6 +152,7 @@ int run(const char* binary) { // Can be useful for fuzzing //setenv("DYLD_INSERT_LIBRARIES", "/usr/lib/libgmalloc.dylib", 1); setenv("DYLD_IN_CACHE", "0", 1); + setenv("DYLD_INSERT_LIBRARIES", "interpose.dylib", 1); char* argv[] = {(char*)binary, NULL}; rv = posix_spawn(&pid, binary, NULL, &attr, argv, environ); From acc8ba622270c75c82da88f740c3f94e73f36594 Mon Sep 17 00:00:00 2001 From: Vincent Andrae Date: Wed, 12 Feb 2025 23:30:25 +0100 Subject: [PATCH 3/3] Update Makefile: xcrun path resolution, ldid support, clean target - Use xcrun for clang and SDK path resolution. - Added support for signing with ldid. - Introduced a clean target. --- iOSOnMac/Makefile | 34 +++++++++++++++++++++++++--------- 1 file changed, 25 insertions(+), 9 deletions(-) diff --git a/iOSOnMac/Makefile b/iOSOnMac/Makefile index ec19141..3886263 100644 --- a/iOSOnMac/Makefile +++ b/iOSOnMac/Makefile 
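Review bot: The removed comment on the old `main` rule (`# Can link against existing frameworks/libraries here by copying them onto ./Frameworks and adding -F $(PWD)/Frameworks -framework ... -Wl,-rpath,...`) was the only documentation of that workflow and is dropped together with the `interpose.dylib` link; consider keeping it on the new `main : main.c` rule. With the dylib no longer a prerequisite of `main`, `make main` no longer rebuilds `interpose.dylib`, which is fine for `all` but worth a one-line note next to the rule, since the runner change in this same series expects the dylib to exist at run time rather than at link time.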
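Review bot: `setenv("DYLD_INSERT_LIBRARIES", "interpose.dylib", 1);` passes a relative path, which dyld resolves against the child's working directory, so the interposer is only found when the runner is started from the directory that holds the dylib; what dyld does in the child when the insert library cannot be loaded varies by version (abort or continue without it), and neither outcome is reported by the runner. Build an absolute path from the runner's own location (e.g. `_NSGetExecutablePath` plus `dirname`) or take it as an argument, and check it with `access(path, R_OK)` before the spawn so a missing or unreadable dylib is reported instead of producing an un-interposed child. The overwrite flag of 1 also means this line silently replaces the libgmalloc entry if the commented-out fuzzing `setenv` directly above is re-enabled; dyld accepts a colon-separated list, so composing one value such as `"interpose.dylib:/usr/lib/libgmalloc.dylib"` keeps both. run() starts and ends outside the hunk.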
@@ -1,12 +1,28 @@ -all : runner main interpose.dylib +CLANG_MACOS := xcrun --sdk macosx -r clang +CLANG_IOS := xcrun --sdk iphoneos -r clang +IOS_SYSROOT := $(shell xcrun --sdk iphoneos --show-sdk-path) +CLANG_IOS_FLAGS := -arch arm64 -isysroot $(IOS_SYSROOT) -interpose.dylib : interpose.c - clang interpose.c -arch arm64 -o interpose.dylib -shared -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk +.PHONY: all clean +all: runner main interpose.dylib -main : main.c - clang main.c -arch arm64 -o main -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk +interpose.dylib: interpose.c + $(CLANG_IOS) $(CLANG_IOS_FLAGS) -shared -o interpose.dylib interpose.c -runner : runner.c entitlements.xml - clang runner.c -o runner - # Replace this identity, find available certificates usign `security find-identity` - codesign -s "XXXXXXXXXX" --entitlements entitlements.xml --force runner +main: main.c + $(CLANG_IOS) $(CLANG_IOS_FLAGS) -o main main.c + +runner: runner.c entitlements.xml + $(CLANG_MACOS) -o runner runner.c + @if [ -n "$(IDENTITY)" ]; then \ + codesign -s "$(IDENTITY)" --entitlements entitlements.xml --force runner; \ + elif command -v ldid >/dev/null 2>&1; then \ + ldid -Sentitlements.xml runner; \ + else \ + echo "Error: No signing method available. Set IDENTITY or install ldid."; \ + echo "Find available certificates using: security find-identity"; \ + exit 1; \ + fi + +clean: + @rm -f runner interpose.dylib main
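Review bot: The signing branch of the new `runner` rule is silenced with `@`, so the build output never shows whether the binary received a codesign signature with `$(IDENTITY)` or an ldid pseudo-signature, even though the `task_for_pid` call in runner.c only works when the entitlements in entitlements.xml are honoured, and the patch does not establish that the two signing paths are equivalent on every macOS configuration. Drop the `@` on that `if`, or echo the path taken, e.g. `echo "[*] signing runner with ldid (IDENTITY not set)"` in the `elif` branch, and add a comment above the recipe stating where the ldid fallback has been verified to work. `IOS_SYSROOT := $(shell xcrun --sdk iphoneos --show-sdk-path)` is also evaluated at parse time for every invocation, so `make clean` on a machine without the iOS SDK prints an xcrun error it has no use for; a recursively expanded `IOS_SYSROOT = $(shell ...)` defers that to the rules that use it.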